Server Security: Layer by Layer
By Jim Jagielski
The more popular the Web site, the more attractive a target the server becomes to various crackers. For the Webmaster of a multiuser/multidomain Web server, locking down the server is difficult. After all, it needs to be open enough to let users upload pages, update their sites, and control their content. Not only that, but as a server administrator, you're likely to install additional modules, or enable functionality (such as server-side includes) that, unless configured correctly, could result in security problems.
Basic Server Security
A secure Web server starts with the server itself. This means making the underlying hardware, operating system (let's assume Unix), and network as secure as possible. Unix has a reputation for being a security nightmare, but it doesn't deserve this reputation. It's a stable, fast, and secure platform. It's true that when Unix was first designed, security wasn't a major factor in its development (in fact, Unix favored openness as much as possible). But it still has an excellent permissions and user system for controlling access to files and directories. After all, the Internet was designed on, and is still heavily based on, Unix. Additionally, if you use a popular open-source Unix distribution, like Linux, the developer community quickly finds and patches security holes.
There are many items to consider when determining the total security of a Web server (see